ideal secure personal computer system
Here's a question: if one were designing for oneself a secure personal computer system, for use in, say, word processing, spreadsheet, communications, the usuals - what system would one purchase and how would one set it up?

For example, on the Mac I would envision this as the ideal system:

(1) Get a Power Mac.
(2) Partition the hard drive into two partitions: install the system folder on one, along with a copy of CryptDisk. Make this the startup partition and make it READ ONLY, with aliases to folders you want to be modifiable (such as the Eudora Folder in the sys folder); place these folders on the encrypted partition.
(3) Completely fill the other partition with a CryptDisk file so there is no room for other stuff to be written. Adjust the partition size if needed.
(4) Install a screen saver (such as the shareware Eclipse) that will password-lock the screen after a few minutes of inactivity, and set CryptDisk to dismount the external partition after a few minutes of inactivity (or longer).

This would be a basic setup. If one had more complex ideas, such as setting it up so casual onlookers would not notice the system was protected, you could do things like have a decoy normal partition with a system folder to boot from by default, to be bypassed with an external locked system folder disk, after which one could dismount the decoy partition and mount the encrypted partition.

If locking the startup volume turns out to be too much of a pain, one could install TrashGuard from Highware Software and set it to triple-overwrite deleted files, and otherwise not lock the startup partition.

How would things work on Windows 95? I imagine most of the old DOS-based encryption utilities may have compatibility problems with W95. What would a similar ideal system be for a PC?

Tom
A locked startup disk is not a good idea, if it is even possible. Most applications set up scratch space on the startup volume. It would be a better idea to set up a partition for applications and lock it, if you feel that is necessary.

Norton DiskLock is a nice tool that provides startup password protection as well as a screensaver password. It will request a password if the machine sleeps or to reboot after a crash.

A. Gulkis
Electronic and Time Based media? what's that? http://valhalla.res.cmu.edu/vidarr/
President, Screaming Viking Research Labs - Reinventing Perceptions of Reality
pgp key: finger vidarr@valhalla.res.cmu.edu
Adam Gulkis <lordvidarr+@CMU.EDU> writes:
a locked startup disk is not a good idea, if it is even possible. Most applications set up scratch space on the startup volume.

And it is this sort of scratch space which the user does not want to have on the unencrypted partition. Unless the _system_ requires a writable area on the startup volume there is no disadvantage to locking that volume. Once the system is up and running, use alias folders in the system folder for those apps which are inconsiderate enough not to ask you where they will be creating temp space.

jim
Adam Gulkis <lordvidarr+@CMU.EDU> writes:
a locked startup disk is not a good idea, if it is even possible. Most applications set up scratch space on the startup volume.
It is possible, although it does break things, for example ResEdit and AppleTalk. Then again, locking a disk doesn't gain you much security.
It would be a better idea to set up a partition for applications and lock it, if you feel that is necessary. Norton DiskLock is a nice tool that provides startup password protection as well as a screensaver password. It will request a password if the machine sleeps or to reboot after a crash.
A good locking screen saver is essential; however, a driver-level password checker (which is what I assume Norton is) is not that helpful.

"Look ma! I stole Adam Gulkis's hard disk, now the secrets of the screaming viking lie open before me!"
"That's nice dear, why don't you pop it in the machine and show your father?"
"Okay <rummages with screwdrivers> Awww, jeez, he used Norton DiskLock, I can't mount the drive."
"Here's a Silverlining disk, just 'update' the driver."
"Aw, thanks mom!"

You really do need to encrypt the drive; otherwise methods such as replacing the drivers or reading the disk with a microscope will extract the data quite easily.

A friend of mine just got back from a Kerberos conference at MIT. At dinner one night they were talking about fun-n-easy ways to extract data from a machine. One of them mentioned that after a while, an "on" bit in RAM tends to leak out onto the surrounding silicon, providing a record of your memory. I'd imagine that your PGP passphrase sitting in one location in memory for a few days would burn itself in pretty good. The solution to this problem is to invert your RAM every once in a while, so each bit is on and off for about the same amount of time. I wonder if it'd be possible to build a device that goes between your motherboard and your SIMMs that would invert and decode your RAM. I could see weird timing issues popping up, but I don't know enough about OSes and computer architecture to know.

Of course, no computer is "secure" without a thermite charge above the hard drive and a tamper-resistant case.

"Well, Billy, the Secret Service is here, they want to take away your computer (and telephone, and cassette tapes, etc.)"
"Okay, mom. It's right over here, Mr. Scary Secret Service dude." <lift> "Ffffffts"
"Hey, Billy, what's that smoke coming out of your computer?"
Jer

"standing on top of the world/ never knew how you never could/ never knew why you never could live/ innocent life that everyone did" -Wormhole
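Jer's idea of inverting RAM so that no cell holds the same value for long can be applied in software to a single secret buffer. The following C is an added example, not code from the thread or from any product named in it; the `secret_t` type and its functions are hypothetical names. It keeps a passphrase in its bitwise complement half the time, decodes it on read, and wipes it through a volatile pointer so the compiler cannot optimize the clearing away.

```c
#include <stdint.h>
#include <string.h>
#define SECRET_MAX 64

/* Hypothetical type: a secret kept in RAM as plaintext or its complement. */
typedef struct { uint8_t buf[SECRET_MAX]; size_t len; int inverted; } secret_t;

int secret_store(secret_t *s, const char *passphrase) {
    size_t n = strlen(passphrase);
    if (n > SECRET_MAX) return -1;
    memcpy(s->buf, passphrase, n);
    s->len = n; s->inverted = 0;
    return 0;
}

/* Flip every bit in place; a real program would call this on a timer so
 * each cell spends about equal time at 0 and at 1. */
void secret_toggle(secret_t *s) {
    for (size_t i = 0; i < s->len; i++) s->buf[i] ^= 0xFFu;
    s->inverted = !s->inverted;
}

/* Decode into the caller's buffer whatever the current polarity is. */
int secret_read(const secret_t *s, char *out, size_t outlen) {
    if (outlen < s->len + 1) return -1;
    for (size_t i = 0; i < s->len; i++)
        out[i] = (char)(s->inverted ? (uint8_t)~s->buf[i] : s->buf[i]);
    out[s->len] = '\0';
    return 0;
}

/* Zero through a volatile pointer so the compiler cannot elide the wipe. */
void secret_wipe(secret_t *s) {
    volatile uint8_t *p = s->buf;
    for (size_t i = 0; i < SECRET_MAX; i++) p[i] = 0;
    s->len = 0; s->inverted = 0;
}

/* Self-check (returns 1 on success): after a toggle the raw bytes differ from
 * the passphrase, secret_read still recovers it, and secret_wipe zeroes it. */
int secret_selftest(void) {
    secret_t s; char out[SECRET_MAX + 1];
    if (secret_store(&s, "correct horse") != 0) return 0;   /* constructed sample */
    secret_toggle(&s);
    if (memcmp(s.buf, "correct horse", 13) == 0) return 0;
    if (secret_read(&s, out, sizeof out) != 0) return 0;
    if (strcmp(out, "correct horse") != 0) return 0;
    secret_wipe(&s);
    return s.buf[0] == 0 && s.len == 0;
}
```

This only balances the bits of one buffer; copies the OS or a library makes elsewhere (swap, temp files, other processes) are untouched, which is why the thread keeps coming back to encrypting the disk itself.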
At 3:10 PM -0500 11/15/96, Adam Gulkis wrote:
a locked startup disk is not a good idea, if it is even possible. Most applications set up scratch space on the startup volume. It would be a better idea to set up a partition for applications and lock it, if you feel that is necessary. Norton DiskLock is a nice tool that provides startup password protection as well as a screensaver password. It will request a password if the machine sleeps or to reboot after a crash.
Since others have mentioned Macs in this thread, and since I have a Mac, I should point out that booting from a locked startup disk is possible, even common. Namely, a CD-ROM. What an OS would _like_ to write is not the same thing as what it _must_ write.

Also, for Unix systems there are similar approaches. Hugh Daniel has been working on a "read-only" startup disk for Unix.

I don't know anything about DOS or Windows, except that every Intel chip sale helps me financially.

--Tim May

"The government announcement is disastrous," said Jim Bidzos,.."We warned IBM that the National Security Agency would try to twist their technology." [NYT, 1996-10-02]
We got computers, we're tapping phone lines, I know that that ain't allowed.

Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^1,257,787-1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
participants (5)
- Adam Gulkis
- Jeremiah A Blatz
- Jim McCoy
- Timothy C. May
- tom bryce